Release prep for 0.6.1

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.6.1] - 2024-05-20
+
+### Security
+
+- Use a constant-time Base64 encoder to encode and decode secret key material.
+  This patch fixes a potential side-channel vulnerability[[1](https://arxiv.org/abs/2108.04600)] ([#156](https://github.com/matrix-org/vodozemac/pull/156)).
+
 ## [0.6.0] - 2024-05-06
 
 ### Security Fixes

Cargo.toml

@@ -6,7 +6,7 @@ authors = [
 name = "vodozemac"
 description = "A Rust implementation of Olm and Megolm"
 repository = "https://github.com/matrix-org/vodozemac"
-version = "0.6.0"
+version = "0.6.1"
 edition = "2021"
 keywords = ["matrix", "chat", "messaging", "olm", "cryptography"]
 license = "Apache-2.0"
@@ -29,6 +29,7 @@ low-level-api = []
 aes = "0.8.4"
 arrayvec = { version = "0.7.4", features = ["serde"] }
 base64 = "0.22.1"
+base64ct = { version = "1.6.0", features = ["std", "alloc"] }
 cbc = { version = "0.1.2", features = ["std"] }
 curve25519-dalek = { version = "4.1.2", default-features = false, features = ["zeroize"] }
 ed25519-dalek = { version = "2.1.1", default-features = false, features = ["rand_core", "std", "serde", "hazmat", "zeroize"] }

cliff.toml

@@ -39,6 +39,7 @@ commit_preprocessors = [
 ]
 # regex for parsing and grouping commits
 commit_parsers = [
+    { message = ".*[sS]ecurity", group = "Security"},
     { message = "^feat", group = "Features"},
     { message = "^fix", group = "Bug Fixes"},
     { message = "^doc", group = "Documentation"},
@@ -49,7 +50,6 @@ commit_parsers = [
     { message = "^chore\\(release\\): prepare for", skip = true},
     { message = "^chore", skip = true},
     { message = "^ci", skip = true},
-    { body = ".*[sS]ecurity", group = "Security"},
 ]
 # filter out the commits that are not matched by commit parsers
 filter_commits = true

src/megolm/session_keys.rs

@@ -14,15 +14,13 @@
 
 use std::io::{Cursor, Read};
 
+use base64ct::Encoding;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 use zeroize::Zeroize;
 
 use super::ratchet::Ratchet;
-use crate::{
-    utilities::{base64_decode, base64_encode},
-    Ed25519PublicKey, Ed25519Signature, SignatureError,
-};
+use crate::{Ed25519PublicKey, Ed25519Signature, SignatureError};
 
 /// Error type describing failure modes for the `SessionKey` and
 /// `ExportedSessionKey` decoding.
@@ -36,7 +34,7 @@ pub enum SessionKeyDecodeError {
     Read(#[from] std::io::Error),
     /// The encoded session key wasn't valid base64.
     #[error("The session key wasn't valid base64: {0}")]
-    Base64(#[from] base64::DecodeError),
+    Base64(#[from] base64ct::Error),
     /// The signature on the session key was invalid.
     #[error("The signature on the session key was invalid: {0}")]
     Signature(#[from] SignatureError),
@@ -93,7 +91,7 @@ impl ExportedSessionKey {
     pub fn to_base64(&self) -> String {
         let mut bytes = self.to_bytes();
 
-        let ret = base64_encode(&bytes);
+        let ret = base64ct::Base64Unpadded::encode_string(&bytes);
 
         bytes.zeroize();
 
@@ -102,7 +100,7 @@ impl ExportedSessionKey {
 
     /// Deserialize the `ExportedSessionKey` from base64 encoded string.
     pub fn from_base64(key: &str) -> Result<Self, SessionKeyDecodeError> {
-        let mut bytes = base64_decode(key)?;
+        let mut bytes = base64ct::Base64Unpadded::decode_vec(key)?;
         let ret = Self::from_bytes(&bytes);
 
         bytes.zeroize();
@@ -268,7 +266,7 @@ impl SessionKey {
     /// to a string using unpadded base64 as the encoding.
     pub fn to_base64(&self) -> String {
         let mut bytes = self.to_bytes();
-        let ret = base64_encode(&bytes);
+        let ret = base64ct::Base64Unpadded::encode_string(&bytes);
 
         bytes.zeroize();
 
@@ -277,7 +275,7 @@ impl SessionKey {
 
     /// Deserialize the `SessionKey` from base64 encoded string.
     pub fn from_base64(key: &str) -> Result<Self, SessionKeyDecodeError> {
-        let mut bytes = base64_decode(key)?;
+        let mut bytes = base64ct::Base64Unpadded::decode_vec(key)?;
         let ret = Self::from_bytes(&bytes);
 
         bytes.zeroize();

src/olm/account/mod.rs

@@ -384,11 +384,11 @@ impl Account {
     /// ability to hold more one-time keys compared to the [`libolm`]
     /// variant.
     ///
-    /// ⚠️  ***Security Warning***: The pickle key will get expanded into both an
-    /// AES key and an IV in a deterministic manner. If the same pickle key
-    /// is reused, this will lead to IV reuse. To prevent this, users have
-    /// to ensure that they always use a globally (probabilistically) unique
-    /// pickle key.
+    /// ⚠️  ***Security Warning***: The pickle key will get expanded into both
+    /// an AES key and an IV in a deterministic manner. If the same pickle
+    /// key is reused, this will lead to IV reuse. To prevent this, users
+    /// have to ensure that they always use a globally (probabilistically)
+    /// unique pickle key.
     ///
     /// [`libolm`]: https://gitlab.matrix.org/matrix-org/olm/
     ///

src/types/ed25519.rs

@@ -15,6 +15,7 @@
 use std::fmt::Display;
 
 use base64::decoded_len_estimate;
+use base64ct::Encoding;
 use curve25519_dalek::EdwardsPoint;
 #[cfg(not(fuzzing))]
 use ed25519_dalek::Verifier;
@@ -226,7 +227,7 @@ impl Ed25519SecretKey {
     /// otherwise an unintentional copy of the key might exist in memory.
     pub fn to_base64(&self) -> String {
         let mut bytes = self.to_bytes();
-        let ret = base64_encode(bytes.as_ref());
+        let ret = base64ct::Base64Unpadded::encode_string(bytes.as_ref());
 
         bytes.zeroize();
 
@@ -242,9 +243,16 @@ impl Ed25519SecretKey {
                 length: decoded_len_estimate(input.len()),
             })
         } else {
-            let mut bytes = base64_decode(input)?;
-            let mut key_bytes = [0u8; 32];
+            // Ed25519 secret keys can sometimes be encoded with padding, don't ask me why.
+            // This means that if the unpadded decoding fails, we have to attempt the padded
+            // one.
+            let mut bytes = if let Ok(bytes) = base64ct::Base64Unpadded::decode_vec(input) {
+                bytes
+            } else {
+                base64ct::Base64::decode_vec(input)?
+            };
 
+            let mut key_bytes = [0u8; 32];
             key_bytes.copy_from_slice(&bytes);
             let key = Self::from_slice(&key_bytes);
 

src/types/mod.rs

@@ -46,6 +46,8 @@ impl KeyId {
 pub enum KeyError {
     #[error("Failed decoding a public key from base64: {}", .0)]
     Base64Error(#[from] base64::DecodeError),
+    #[error("Failed to decode a private key from base64: {}", .0)]
+    Base64PrivateKey(#[from] base64ct::Error),
     #[error(
         "Failed decoding {key_type} key from base64: \
         Invalid number of bytes for {key_type}, expected {expected_length}, got {length}."